Background 


The Information Commissioner is responsible for enforcing and promoting 
compliance with the UK General Data Protection Regulation (UK GDPR), 
the Data Protection Act 2018 (DPA18), the Privacy and Electronic 
Communications Regulations (PECR) and other data protection legislation. 
Section 146 of the DPA18 provides the Information Commissioner’s Office 
(ICO) with the power to conduct compulsory audits through the issue of 
assessment notices. Section 129 of the DPA18 allows the ICO to carry out 
consensual audits. The ICO sees auditing as a constructive process with 
real benefits for controllers and so aims to establish a participative 
approach. 


Following a test data purchase initiative run by the ICO in 2018, 
Emailmovers Ltd (EML) were investigated as serious concerns were 
identified about their data protection compliance. 


The investigation into EML resulted in an Enforcement Notice being issued 
on the 22nd June 2021 requiring compliance with GDPR Art 5(1)(a). 


EML responded to the ICO on 15 July 2021 to inform that their processing 
was compliant and invited the Commissioner to ‘review our systems to 
confirm that this processing has ceased.’ 


The ICO’s Assurance department contacted EML on 19 August 2021 to 
accept EML’s invitation. The audit took place during the week beginning 
29 November 2021. 


The scope of the audit focussed on the processing of personal data within 
EML’s marketing database and covered the following key control areas: 


Governance 

Sourcing personal data 

Transparency and lawful basis for processing 

Data supply and sharing 

Individual rights 

Requirements of the enforcement notice 


The purpose of the audit was to provide the Information Commissioner 
with an assurance of the extent to which EML, within the scope of the 
audit, is complying with data protection legislation and assess the 
adequacy of the measures that were introduced as a result of the 
enforcement notice. 


Priority of recommendations summary 


Where opportunities for improvement were identified recommendations 
have been made, primarily around enhancing existing processes to 
facilitate compliance with data protection legislation. In order to assist 
EML in implementing the recommendations, each has been assigned a 
priority rating based upon the risks that they are intended to address. The 
ratings are assigned based upon the ICO’s assessment of the risks 
involved. EML’s priorities and risk appetite may vary and, therefore, they 
should undertake their own assessments of the risks identified. 


A summary of the ratings assigned within this report is shown below. 


Priority Ratings Summary 

[Pie chart: breakdown of recommendation priorities; legend: Urgent, High, Medium] 


The pie chart above shows a breakdown of the priorities assigned to the 
recommendations made. There are eight urgent, seven high and two 
medium priority recommendations. 


Urgent priority recommendations are intended to address risks which 
represent clear and immediate risks to EML’s ability to comply with the 
requirements of data protection legislation. 


Summary of Findings 


Enforcement Notice. 


The ICO were pleased to confirm that, as a result of the action taken and 
measures introduced by EML, the requirements of the enforcement 
notice issued to them in June 2021 have been met. 


Good Practice 


The ICO acknowledge the following areas of good practice demonstrated 
by EML during the audit. 


A proactive approach to providing privacy information to individuals 
who are included in the marketing database, which ensures they 
have control over the use of their personal data and the ability to 
exercise the rights afforded to them in data protection legislation. 

The development and regular delivery of bespoke training modules 
which include data protection requirements in the context of EML’s 
own processing. 

Major decisions related to data processing, policies and procedures 
must be reviewed and approved by the managing director. 


Areas for Improvement 


The audit identified some areas where further improvements are required 
to achieve compliance with data protection legislation. 


There is limited requirement for decisions to be recorded or justified 
in sufficient detail to demonstrate accountability to the UK GDPR as 
required by Article 5(2). 

EML have not determined or documented retention periods for all 
personal data processed, which means they are not meeting the 
requirements of Article 5(1)(e) of the UK GDPR. 

EML do not maintain a record of processing activity which fulfils all 
the requirements of Article 30 of the UK GDPR. 

There is no mechanism for notifying recipients of personal data 
about the existence and outcomes of individual rights requests 
received and actioned by EML, which means they are not complying 
with Article 19 of the UK GDPR. 


5 Appendices 


Appendix One - Recommendation Priority Ratings Description 


Medium Priority Recommendations - 


These recommendations address medium level risks which can be 
tackled over a longer timeframe or where some mitigating controls are 
already in place, but could be enhanced. 


Low Priority Recommendations - 


These recommendations represent enhancements to existing controls to 
ensure low level risks are fully mitigated or where we are 
recommending that the data controller sees existing plans through to 
completion. 


The matters arising in this report are only those that came to our attention 
during the course of the audit and are not necessarily a comprehensive 
statement of all the areas requiring improvement. 


The responsibility for ensuring that there are adequate risk management, 
governance and internal control arrangements in place rests with the 
management of Emailmovers Ltd. 


This report is solely for the use of Emailmovers Ltd. The scope areas and 
controls covered by the audit have been tailored to Emailmovers Ltd and as a 
result, the audit report is not intended to be used in comparison with other ICO 
audit reports. We take all reasonable care to ensure that our audit report is fair 
and accurate but cannot accept any liability to any person or organisation, 
including any third party, for any loss or damage suffered or costs incurred by 
it arising out of, or in connection with, the use of this report, however such loss 
or damage is caused. We cannot accept liability for loss occasioned to any 
person or organisation, including any third party, acting or refraining from 
acting as a result of any information contained in this report. 


